if filter arg is passed to extractall() dont trigger rule

trailofbits · Dec 27, 2024 · dbfbc02 · dbfbc02
1 parent 6b4738c
commit dbfbc02
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 7 deletions.
diff --git a/python/tarfile-extractall-traversal.py b/python/tarfile-extractall-traversal.py
@@ -2,11 +2,9 @@
 import tarfile
 
 def get_parser():
-    parser = argparse.ArgumentParser(description='Process zip files.')
-    parser.add_argument('--path', type=str, required=True,
-                        help='Path to zip file')
-    parser.add_argument('--save-path', type=str, required=True,
-                            help='Output path')
+    parser = argparse.ArgumentParser(description="Process tar files.")
+    parser.add_argument("--path", type=str, required=True, help="Path to tar file")
+    parser.add_argument("--save-path", type=str, required=True, help="Output path")
     return parser
 
 
@@ -17,14 +15,12 @@ def extract_1(args):
     with tarfile.open(path) as f:
         f.extractall(save_path)
 
-
 def extract_2(args):
     path = args.path
     save_path = args.save_path
     # ruleid: tarfile-extractall-traversal
     tarfile.open(path).extractall(save_path)
 
-
 def extract_3(args):
     path = args.path
     save_path = args.save_path
@@ -33,25 +29,49 @@ def extract_3(args):
     tf.extractall(save_path)
 
 def extract_4(args, tarobj):
+    save_path = args.save_path
     # ruleid: tarfile-extractall-traversal
     tf = tarfile.open(mode='r', fileobj=None)
     tf.extractall(save_path)
 
 def extract_5(args, tarobj):
+    save_path = args.save_path
     # ok: tarfile-extractall-traversal
     tf = tarfile.open(mode='r', fileobj=None)
     tf.extractall(save_path, members=safu_members())
 
 def extract_6(args, tarobj):
+    save_path = args.save_path
     # ok: tarfile-extractall-traversal
     tf = tarfile.open(mode='r', fileobj=None)
     tf.extractall(members=safu_members(), numeric_owner=True, path=save_path)
 
 def extract_7(args, tarobj):
+    save_path = args.save_path
     # todoruleid: tarfile-extractall-traversal
     tf = tarfile.open(mode='r', fileobj=None)
     tf.extractall(members=None, numeric_owner=True, path=save_path)
 
+def extract_8(args):
+    path = args.path
+    save_path = args.save_path
+    # ok: tarfile-extractall-traversal
+    with tarfile.open(path) as f:
+        f.extractall(save_path, filter='data')
+
+def extract_9(args):
+    path = args.path
+    save_path = args.save_path
+    # ok: tarfile-extractall-traversal
+    tarfile.open(path).extractall(save_path, filter='data')
+
+def extract_10(args):
+    path = args.path
+    save_path = args.save_path
+    # ok: tarfile-extractall-traversal
+    tf = tarfile.open(path)
+    tf.extractall(save_path, filter='data')
+
 def run():
     parser = get_parser()
     args = parser.parse_args()
@@ -62,6 +82,9 @@ def run():
     extract_5(args)
     extract_6(args)
     extract_7(args)
+    extract_8(args)
+    extract_9(args)
+    extract_10(args)
 
 
 if __name__ == '__main__':

diff --git a/python/tarfile-extractall-traversal.yaml b/python/tarfile-extractall-traversal.yaml
@@ -39,3 +39,13 @@ rules:
           $TAR = tarfile.open(...)
           ...
           $TAR.extractall(..., members=$MEMBERS, ...)
+      - pattern-not: |
+          with tarfile.open(...) as $TAR:
+              ...
+              $TAR.extractall(..., filter=$FILTER, ...)
+      - pattern-not: |
+          tarfile.open(...).extractall(..., filter=$FILTER, ...)
+      - pattern-not: |
+          $TAR = tarfile.open(...)
+          ...
+          $TAR.extractall(..., filter=$FILTER, ...)